Connection to red team domain


Goal

Detect when a connection is established to a domain used for penetration testing.

Strategy

Some application security testing tools use well-known domains. For example, the web application security platform Burp Suite uses burpcollaborator[.]net in some payloads. These services help a tester confirm that a payload reached its target, so a connection to one of them is a signal that a test or attack was successful. This detection contains a list of known domains used for penetration testing.

The tools referenced by this rule are free to use or open-source, so their use is not limited to authorized penetration testing teams; a match may come from an attacker as well as from a sanctioned test.
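The matching logic this rule describes, as an added example that is not part of the original detection rule or of Network Performance Monitoring: indicators are kept in defanged form, refanged, and compared against each connection's destination hostname including subdomains (Collaborator payloads use per-test subdomains). The record field names, the helper names and the second list entry are assumptions for this example.

```python
"""Added example (not the original rule's code): match network connection
records against a list of known penetration-testing domains."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator list in defanged form, as on the page. burpcollaborator[.]net is the
# one the page names; the second entry is a constructed placeholder.
PENTEST_DOMAINS_DEFANGED = [
    "burpcollaborator[.]net",
    "example-oob-service[.]invalid",  # constructed placeholder, not a real service
]

def refang(domain: str) -> str:
    """Turn a defanged indicator ('burpcollaborator[.]net') back into a hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")

PENTEST_DOMAINS = {refang(d) for d in PENTEST_DOMAINS_DEFANGED}

def matches_pentest_domain(hostname: str) -> Optional[str]:
    """Return the matching indicator when hostname is the domain itself or a
    subdomain of it (e.g. <id>.burpcollaborator.net). A plain substring match
    would also flag unrelated names such as notburpcollaborator.net."""
    host = hostname.lower().rstrip(".")
    for indicator in PENTEST_DOMAINS:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None

@dataclass
class Finding:
    process: str      # triage step 1: which process opened the connection
    source: str
    destination: str
    indicator: str

def detect(connections: List[Dict[str, str]]) -> List[Finding]:
    """Run the rule over connection records (field names are assumed)."""
    findings = []
    for c in connections:
        hit = matches_pentest_domain(c.get("dest_hostname", ""))
        if hit:
            findings.append(Finding(c.get("process", "unknown"),
                                    c.get("src_ip", "?"), c["dest_hostname"], hit))
    return findings

# Constructed sample records, not real traffic.
SAMPLE_CONNECTIONS = [
    {"process": "curl", "src_ip": "10.0.0.5", "dest_hostname": "x7k2.burpcollaborator.net"},
    {"process": "nginx", "src_ip": "10.0.0.5", "dest_hostname": "api.example.com"},
    {"process": "python3", "src_ip": "10.0.0.8", "dest_hostname": "notburpcollaborator.net"},
]
```

Each finding carries the originating process so the first triage step can start from the alert itself.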

Triage and response

  1. Determine the process that made the connection.
  2. Review related signals, application traces, and related logs to understand the full timeline of the incident.
  3. Isolate the workload, preserving it for analysis.
  4. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.